Context Committing Security of Leveled Leakage-Resilient AEAD
(2024) In IACR Transactions on Symmetric Cryptology 2024(2).
- Abstract
- During recent years, research on authenticated encryption has been thriving through two highly active and practice-motivated research directions: provably secure leakage-resilient schemes and key- or context-commitment security. However, the intersection of both fields had been overlooked until very recently. In ToSC 1/2024, Struck and Weishäupl studied generic compositions of encryption schemes and Message Authentication Codes for building committing leakage-resilient schemes. They showed that, in general, Encrypt-then-MAC (EtM) and MAC-then-Encrypt (MtE) are not committing, while Encrypt-and-MAC (EaM) is under plausible and weak assumptions on the components. However, real-world schemes are rarely strict black-box constructions. Instead, while various leakage-resilient schemes follow blueprints inspired by generic compositions, they often tweak them for security and/or efficiency reasons.
We show that with careful selection of the underlying primitives, such as equal encryption and authentication keys as well as a collision-resistant PRF as the MAC, these blueprints are committing. Our results do not contradict the results by Struck and Weishäupl, since we pose more, but practically motivated, requirements on the components. We demonstrate the practical relevance of our results by showing that they allow one to easily derive proofs that several state-of-the-art leakage-resilient schemes are indeed committing, including TEDT and its descendants TEDT2 and Romulus-T, as well as the single-pass scheme Triplex.
Please use this url to cite or link to this publication:
https://lup.lub.lu.se/record/8e864e7f-56f5-4d10-adfe-3469614f4c79
- author
- Dhar, Chandranan ; Ethan, Jordan ; Jejurikar, Ravindra ; Khairallah, Mustafa LU ; List, Eik and Mandal, Sougata
- publishing date
- 2024-06-18
- type
- Contribution to journal
- publication status
- published
- in
- IACR Transactions on Symmetric Cryptology
- volume
- 2024
- issue
- 2
- publisher
- Ruhr-Universität Bochum
- ISSN
- 2519-173X
- DOI
- 10.46586/tosc.v2024.i2.348-370
- language
- English
- LU publication?
- yes
- id
- 8e864e7f-56f5-4d10-adfe-3469614f4c79
- date added to LUP
- 2024-05-03 09:14:51
- date last changed
- 2024-06-19 10:13:37
@article{8e864e7f-56f5-4d10-adfe-3469614f4c79,
  abstract  = {{During recent years, research on authenticated encryption has been thriving through two highly active and practice-motivated research directions: provably secure leakage-resilience schemes and key- or context-commitment security. However, the intersection of both fields had been overlooked until very recently. In ToSC 1/2024, Struck and Weish\"aupl studied generic compositions of Encryption schemes and Message Authentication Codes for building committing leakage-resilient schemes. They showed that, in general, Encrypt-then-MAC (EtM) and MAC-then-Encrypt (MtE) are not committing while Encrypt-and-MAC (EaM) is under plausible and weak assumptions on the components. However, real-world schemes are rarely strict black-box constructions. Instead, while various leakage-resilient schemes follow blueprints inspired by generic compositions, they often tweak them for security and/or efficiency reasons.

We show that with careful selection of the underlying primitives such as equal encryption and authentication keys as well as a collision-resistant PRF as the MAC, these blueprints are committing. Our results do not contradict the results by Struck and Weishäupl since we pose more, but practically-motivated, requirements on the components. We demonstrate the practical relevance of our results by showing that our results on those blueprints allow to easily derive proofs that several state-of-the-art leakage-resilient schemes are indeed committing, including TEDT and its descendants TEDT2 and Romulus-T, as well as the single-pass scheme Triplex.}},
  author    = {{Dhar, Chandranan and Ethan, Jordan and Jejurikar, Ravindra and Khairallah, Mustafa and List, Eik and Mandal, Sougata}},
  issn      = {{2519-173X}},
  language  = {{eng}},
  month     = {{06}},
  number    = {{2}},
  publisher = {{Ruhr-Universität Bochum}},
  series    = {{IACR Transactions on Symmetric Cryptology}},
  title     = {{Context Committing Security of Leveled Leakage-Resilient AEAD}},
  url       = {{http://dx.doi.org/10.46586/tosc.v2024.i2.348-370}},
  doi       = {{10.46586/tosc.v2024.i2.348-370}},
  volume    = {{2024}},
  year      = {{2024}},
}